Out-of-Band Authentication - Two-Factor Authentication - SMS

SMS-based one-time passwords (OTPs) are the most common form of out-of-band authentication. Text-message-based authentication is relatively easy to compromise: the entire SMS transport layer is insecure, and the text messaging protocol does not support encrypted communications. Although SMS OTPs are insecure, their use persists because they work on old legacy phones. Out-of-band authentication and SMS OTPs are susceptible to man-in-the-middle and man-in-the-mobile attacks.

There are seven major flaws with SMS OTPs:

1. They do not prevent sophisticated attacks such as man-in-the-mobile (MitMo).

2. There is no PIN control over generating the code.

3. The entire transport layer is insecure.

4. Network latency: SMS delivery can sometimes be delayed by hours.

5. They require mobile coverage and do not work when there is no network signal.

6. Fraudulent phone number reassignment, also known as a phone porting scam.

7. Large operating expenditure (OPEX) for mass deployments.
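Several of the flaws above (delayed delivery, interception in transit, number porting) cannot be fixed on the server side, but a verifier can limit how much an intercepted or delayed code is worth. The following is an added example, not code from the original page or from SAASPASS: a minimal server-side OTP verifier that issues a random six-digit code with a short validity window, binds it to the login session that requested it, allows only a few guesses, and makes each code single-use. The class name, the status strings, and the TTL and attempt limits are assumptions chosen for illustration; the `clock` parameter exists only so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are illustrative assumptions, not values from the page.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # short window: a text that arrives hours late is useless to anyone
MAX_ATTEMPTS = 3        # stops online guessing of a 6-digit code


@dataclass
class PendingOtp:
    code: str
    session_id: str      # the login session that requested the code
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    """Server-side state for SMS OTPs, keyed by user id (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, user_id: str, session_id: str) -> str:
        # Cryptographically random, zero-padded code. Issuing a new code
        # replaces any earlier one, so only the latest text is valid.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(
            code=code, session_id=session_id,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # hand to the SMS gateway; never write it to logs

    def verify(self, user_id: str, session_id: str, submitted: str) -> str:
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_pending_code"
        if rec.used:
            return "already_used"
        if self._clock() > rec.expires_at:
            del self._pending[user_id]
            return "expired"
        if rec.session_id != session_id:
            # A code relayed into a different session (e.g. an attacker's
            # browser) is rejected even if the digits are right.
            return "session_mismatch"
        rec.attempts += 1
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            rec.used = True
            return "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return "too_many_attempts"
        return "wrong_code"


if __name__ == "__main__":
    # Constructed walk-through with a controllable clock.
    now = [1_000.0]
    v = OtpVerifier(clock=lambda: now[0])
    code = v.issue("alice", "sess-1")
    print("relayed into another session:", v.verify("alice", "sess-2", code))
    print("correct code, right session:", v.verify("alice", "sess-1", code))
    print("replayed code:", v.verify("alice", "sess-1", code))
    code = v.issue("alice", "sess-1")
    now[0] += OTP_TTL_SECONDS + 1
    print("delivered too late:", v.verify("alice", "sess-1", code))
```

The session binding is what blunts a relay attack: a code typed into a session other than the one that requested it is rejected regardless of its digits. The short TTL and single-use rule mean a text that is delayed, or read by someone else later, has little value, and the attempt cap keeps a six-digit code from being guessed online. None of this protects the number itself against porting, which is why the page treats SMS as a weak channel rather than something to harden.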

Instituting SAASPASS two-step verification mitigates many of these attacks. SAASPASS also works on legacy feature phones such as Java ME and BlackBerry devices. Replace outdated, problematic out-of-band authentication with SAASPASS.